I am typing a proposal up to block all USB flash drives that have not been whitelisted. I just want to make sure I have the numbers correct as well as my understanding. When looking under Peripheral Control, what is the difference between Secure Removable Storage, and Removable Storage. Is this where approved devices would be seen after whitelist https://100001.onl/ ? Would this affect wireless keyboards and mice currently being used? Or do I have option to specify JUST flash drives? Company is hard to get security policies approved and used so thank you for the accurate info.

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Policy Question

I am typing a proposal up to block all USB flash drives that have not been whitelisted. I just want to make sure I have the numbers correct as well as my understanding.

When looking under Peripheral Control, what is the difference between Secure Removable Storage, and Removable Storage. Is this where approved devices would be seen after whitelist https://100001.onl/?
Would this affect wireless keyboards and mice currently being used? Or do I have option to specify JUST flash drives?

Company is hard to get security policies approved and used so thank you for the accurate info.

Added TAGs
[edited by: Erick Jan at 2:14 AM (GMT -8) on 12 Jan 2024]

Parents

0 Sophos User930 over 1 year ago

Secure removable are the devices where you plug them in, they typically auto-run some exe off a unencrypted smaller drive on the USB stick that prompts for a password to unlock the encrypted disk where you store the files. They are treated differently from USB so you can perhaps only allow secure removable storage if that's the policy.

Wireless keyboards and mice should have a different classid to disk drives. For example, if you look in Device Manager when a USB storage device is attached and look at the details of it, it will typically be "class = diskdrive" and the "classguid={4d36e967-e325-11ce-bfc1-08002be10318}". This will not be confused with class Bluetooth for example.

System-Defined Device Setup Classes Available to Vendors - Windows drivers | Microsoft Learn

Disk Drives
Class = DiskDrive
ClassGuid = {4d36e967-e325-11ce-bfc1-08002be10318}
This class includes hard disk drives. See also the HDC and SCSIAdapter classes.

Bluetooth Devices
Class = Bluetooth
ClassGuid = {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
(Windows XP SP1 and later versions of Windows) This class includes all Bluetooth devices.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Sophos User930 over 1 year ago

Secure removable are the devices where you plug them in, they typically auto-run some exe off a unencrypted smaller drive on the USB stick that prompts for a password to unlock the encrypted disk where you store the files. They are treated differently from USB so you can perhaps only allow secure removable storage if that's the policy.

Wireless keyboards and mice should have a different classid to disk drives. For example, if you look in Device Manager when a USB storage device is attached and look at the details of it, it will typically be "class = diskdrive" and the "classguid={4d36e967-e325-11ce-bfc1-08002be10318}". This will not be confused with class Bluetooth for example.

System-Defined Device Setup Classes Available to Vendors - Windows drivers | Microsoft Learn

Disk Drives
Class = DiskDrive
ClassGuid = {4d36e967-e325-11ce-bfc1-08002be10318}
This class includes hard disk drives. See also the HDC and SCSIAdapter classes.

Bluetooth Devices
Class = Bluetooth
ClassGuid = {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
(Windows XP SP1 and later versions of Windows) This class includes all Bluetooth devices.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data